Question

PIX 515E: Proper DMZ setup PLEASE! (3 simple objectives)

Asked by: ioglyphics

I have been troubleshooting this for over a week now and I am nearly in tears. I am simply trying to facilitate a DMZ (which is set up) that will allow for:

1. Access to a staging server so that our clients can get to our beta version of a web app, and so that we can get to it from inside our LAN by the URL and not by the internal IP that it has (or now maybe had).
I know DNS is the issue here, but I am certain it is in the PIX and not in my DNS server's settings, though I could be wrong.

2. FTP

3. Front-end Exchange server with OWA

I have posted my config here for you to look at.


PIX Version 7.2(2)
!
hostname MatrixFW1
domain-name dms.local
enable password 05HxXdkum7f.9uQg encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 retries 3
 timeout 3
 name-server 64.105.199.74
 name-server 64.105.159.250
 name-server 192.168.1.101
 domain-name dms.local
object-group service dns tcp
 port-object eq domain
object-group service deltek tcp
 description deltek frontend
 port-object eq 7001
 port-object eq 1433
 port-object eq www
object-group service TE tcp-udp
 description Deltek Frontend
 port-object eq 7001
object-group network LAN
 network-object 192.168.1.0 255.255.255.0
object-group network DMZ
 network-object host 192.168.2.42
 network-object host 192.168.2.52
 network-object host 67.103.180.198
 network-object host 67.103.180.199
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
access-list Access_in extended permit icmp any any echo-reply
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit icmp object-group DMZ interface outside
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ eq domain object-group LAN eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
access-list acl_inside_cap extended permit ip any host 192.168.2.42
access-list acl_dmz_cap extended permit ip host 192.168.2.42 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0 dns
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:e4053622981d83301200ea24993546a3

NAT policies on Interface inside:
  match ip inside host 192.168.1.101 outside any
    static translation to 67.103.180.197
    translate_hits = 46190, untranslate_hits = 29608
  match ip inside 192.168.1.0 255.255.255.0 DMZ any
    static translation to 192.168.1.0
    translate_hits = 53, untranslate_hits = 1662
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (67.103.180.195)
    translate_hits = 355033, untranslate_hits = 21678
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
    translate_hits = 1767, untranslate_hits = 11

NAT policies on Interface DMZ:
  match ip DMZ host 192.168.2.42 outside any
    static translation to 67.103.180.198
    translate_hits = 4836, untranslate_hits = 22524
  match ip DMZ host 192.168.2.52 outside any
    static translation to 67.103.180.199
    translate_hits = 0, untranslate_hits = 475
  match ip DMZ 192.168.2.0 255.255.255.0 outside any
    dynamic translation to pool 2 (67.103.180.196)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0


Asked On: 2007-03-30 at 15:04:59 (ID 22483971)
Tags: pix, dmz, 515e
Topics: Application Protocols, Domain Name Service (DNS), Cisco PIX Firewall
Participating Experts: 1 | Points: 500 | Comments: 9

Answers

 

by: lrmoore, posted on 2007-03-30 at 17:04:30 (ID: 18827146)

Several issues here...

>global (DMZ) 1 interface
>static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

The global statement is not necessary with the static. Suggest removing the global and keep the static.

>object-group network DMZ
This group should only contain the two 192.168.1.x addresses and not the public IPs. Suggest 2 groups:

object-group network DMZ
 network-object host 192.168.2.42
 network-object host 192.168.2.52
object-group network DMZ_public
 network-object host 67.103.180.198
 network-object host 67.103.180.199

>access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
The source port will not be 25, but the destination will be 25. The source port is random, >1024. Don't you want to send email to only one mail server inside?
Suggest:
 access-list DMZ_access_in extended permit tcp object-group DMZ host 192.168.1.101 eq smtp

>access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
Same issue with this and other acl entries. The source port will not be the same as the destination port.
Correct entry does not specify source port.
  access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN eq ftp

Here's my suggested DMZ Acl:
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit tcp object-group DMZ host 192.168.1.101 eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN eq ftp-data
access-list DMZ_access_in extended permit tcp object-group DMZ host 192.168.1.101 eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN object-group deltek
access-list DMZ_access_in extended deny ip object-group DMZ object-group LAN
access-list DMZ_access_in extended permit tcp object-group DMZ eq www any
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp any
access-list DMZ_access_in extended permit tcp object-group DMZ eq https any
access-list DMZ_access_in extended permit tcp object-group DMZ eq ssh any


>access-list inside_access_in extended permit ip any any
>access-group inside_access_in in interface inside
This acl is redundant to the default allow all and should be removed from the inside interface. Only apply an acl to the inside interface to restrict traffic outbound.

> and allow us to get to inside our LAN, by the url and not the internal IP that has
This is the hard part. The ONLY way you can access internal hosts by their public URL that resolves to their public IP address is through DNS re-write. This means that the DNS server the clients use lives outside the firewall, and the firewall intercepts the dns responses and re-writes them to actually give the client the real private IP address. Since your DNS servers live inside the firewall, you must have an internal-only dns server that resolves the url to the private IP address, and a public dns server that resolves the url to the public IP addresses.

 

by: ioglyphics, posted on 2007-03-30 at 19:40:33 (ID: 18827547)

Thank you very much! Everything you explained makes total sense. I will apply it all on Monday. I will go ahead and accept your response as the solution, and try to contact you if anything fails to work.

Thanks,
ioglyphics

 

by: ioglyphics, posted on 2007-04-02 at 08:00:59 (ID: 18836866)

lrmoore,

One other requirement I didn't mention, because I didn't know it was an issue, is web access to a host IN the DMZ. I can't seem to configure the proper rule to achieve this. Each time I set up what I think is right, it stops web access to the LAN. I would be grateful for help with this; everything else you suggested worked.

ioglyphics

 

by: lrmoore, posted on 2007-04-02 at 08:12:46 (ID: 18836986)

It looks like you have the required entries:
Let's take public www server .198 as an example:
//--Static XLATE to public IP - check
>static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255

//--Permit tcp/80 inbound to public IP - check
>access-list Access_in extended permit tcp any host 67.103.180.198 eq www

//--Acl actually applied to interface - check
>access-group Access_in in interface outside

Those should be all you need to get traffic IN to the server. Now let's examine what can go OUT of the DMZ to outside:

//--Is www traffic from host 192.168.2.42 allowed "in" on the DMZ interface?
//-- If you added this as in my example, the answer is yes
>access-list DMZ_access_in extended permit tcp object-group DMZ eq www any

//-- is the proper server in this group? Yes
object-group network DMZ
 network-object host 192.168.2.42 <==

Does this server have the proper default gateway assigned?
Are you trying to access this server by Public IP from OUTside the network? - If all above conditions check out, then you should be able to.
Are you trying to access this server by Public IP from INside the network? - you can't and this is a design feature of the PIX.

Can you post your current running config, and what exact commands that you try to enter when it stops web access to the LAN?

 

by: ioglyphics, posted on 2007-04-02 at 08:43:40 (ID: 18837265)

When I am logged into the server I cannot browse the web or ping any external host (e.g. 4.2.2.2) as I can from my LAN. I need to have access to the web from the server. If you could, please check this link to see if you can reach it: http://demo.dmsva.com/prisms/login.cfm
As of last week we could get to this from OUTside our LAN. Prior to that, and I am not sure why or who changed it, only one of the two NICs in the host was enabled, and its IP address was set to the public IP 67.103.180.198, which resolved to the link I asked you to check. It makes sense to me that you would not be able to reach it, because the domain name in the URL in question is set to the public IP, 67.103.180.198.
I support a bunch of developers that have never had a LAN admin, and they all still have free access to the servers for now. I can get to the URL internally now because the IP in use on the only enabled NIC is the private address 192.168.2.42. I posted the config, and I did apply all your suggestions.
The IP setting on the host in question(which I guess is wrong) is...
IP - 192.168.2.42
SM - 255.255.255.0
DG - 192.168.2.1

Two things....

1. "global (DMZ) 1 interface" still shows up in the config, though I removed it by entering "no" in front of this command.  Is there anything else I need to do to get rid of it?  When I run "no global (DMZ) 1 interface" it gives an ERROR stating that it doesn't exist.

2. Is there anything wrong with having multi-homed machines in the DMZ, one NIC having the public and the other having a private IP? I was informed that this can cause a loop, but in past experience I have seen boxes in a DMZ set up this way. Basically my question really is: what IP address has to be on the one NIC in a host located in the DMZ if it only has one NIC, or are two NICs needed, one with the public and the other with the private IP address?


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PIX Version 7.2(2)
!
hostname MatrixFW1
domain-name dms.local
enable password 05HxXdkum7f.9uQg encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 retries 3
 timeout 3
 name-server 64.105.199.74
 name-server 64.105.159.250
 name-server 192.168.1.101
 domain-name dms.local
object-group service dns tcp
 port-object eq domain
object-group service deltek tcp
 description deltek frontend
 port-object eq 7001
 port-object eq 1433
 port-object eq www
object-group service TE tcp-udp
 description Deltek Frontend
 port-object eq 7001
object-group network LAN
 network-object 192.168.1.0 255.255.255.0
object-group network DMZ
 network-object host 192.168.2.42
 network-object host 192.168.2.52
 network-object host 67.103.180.198
 network-object host 67.103.180.199
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
access-list Access_in extended permit icmp any any echo-reply
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit icmp object-group DMZ interface outside
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ eq domain object-group LAN eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
access-list acl_inside_cap extended permit ip any host 192.168.2.42
access-list acl_dmz_cap extended permit ip host 192.168.2.42 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0 dns
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:e4053622981d83301200ea24993546a3

 

by: lrmoore, posted on 2007-04-02 at 09:11:06 (ID: 18837443)

The web site works fine.
This looks like the old config that should not work.

In order to browse the internet from the server console, we need to allow that out via the access-list:
 add the following:
access-list DMZ_access_in extended permit tcp object-group DMZ any eq www
access-list DMZ_access_in extended permit tcp object-group DMZ any eq https
access-list DMZ_access_in extended permit udp object-group DMZ any eq domain
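
The checks lrmoore walks through in his answers above (the source-port and object-group mistakes in the first, the static / permit / access-group checklist for a published server in the second, and the outbound DMZ rules in the one just above) can be run mechanically against the config. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses only the subset of PIX 7.x syntax the posted config uses (network object-groups, extended ACEs with any/host/object-group/net-mask addresses and `eq` ports, host statics, and access-group bindings), flags ACEs that match on a source port and private-host groups that contain public addresses, and then does a first-match trace of an inbound and an outbound flow. The sample config is constructed from lines posted above; the outside client address 4.2.2.2 (the host the asker pinged) is an assumption, service object-groups used as port specs and `interface` addresses are not modelled, and the outside ACL is evaluated against the mapped (public) address, as PIX 7.x does.

```python
# Added example (not from the thread or from Cisco): lint and trace PIX 7.x ACL / object-group / static lines.
import ipaddress
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "domain": 53, "ssh": 22}
# Constructed sample built from lines posted above. The smtp ACE keeps the "source port == destination
# port" mistake and the DMZ group mixes private and public hosts, so both lint checks fire.
BASE_CONFIG = """
object-group network DMZ
 network-object host 192.168.2.42
 network-object host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp 192.168.1.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended deny ip object-group DMZ 192.168.1.0 255.255.255.0
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
access-group Access_in in interface outside
access-group DMZ_access_in in interface DMZ
"""
# The outbound rule lrmoore adds in the last answer, appended for a before/after trace.
OUTBOUND_WWW = "access-list DMZ_access_in extended permit tcp object-group DMZ any eq www\n"

def _addr(tok, i):
    """Consume one address spec (any | host A | object-group G | A MASK) at tok[i]."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return ("net", ipaddress.ip_network(tok[i + 1])), i + 2
    if tok[i] == "object-group":
        return ("group", tok[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")), i + 2

def _port(tok, i):
    """Consume an optional 'eq PORT' at tok[i] (service object-groups as ports are not modelled)."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]), i + 2
    return None, i

def _ace(tok):
    """Tokens after the ACL name: [extended] {permit|deny} PROTO SRC [eq P] DST [eq P] [...]."""
    i = 1 if tok[0] == "extended" else 0
    src, j = _addr(tok, i + 2)
    sport, j = _port(tok, j)
    dst, j = _addr(tok, j)
    dport, j = _port(tok, j)
    return {"action": tok[i], "proto": tok[i + 1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_config(text):
    cfg, group = {"groups": {}, "acls": {}, "statics": {}, "bindings": {}}, None
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "object-group":               # only network groups are collected
            group = cfg["groups"].setdefault(tok[2], []) if tok[1] == "network" else None
        elif tok[0] == "network-object" and group is not None:
            group.append(_addr(tok, 1)[0][1])
        elif tok[0] == "access-list":
            cfg["acls"].setdefault(tok[1], []).append(_ace(tok[2:]))
        elif tok[0] == "static":                   # static (real_if,mapped_if) MAPPED REAL netmask M
            cfg["statics"][ipaddress.ip_address(tok[2])] = ipaddress.ip_address(tok[3])
        elif tok[0] == "access-group":             # access-group NAME in interface IFACE
            cfg["bindings"][tok[4]] = tok[1]
    return cfg

def lint(cfg):
    """Flag the two mistakes called out in the thread: source-port matches and public IPs in a host group."""
    out = [f"{name} #{n}: matches source port {a['sport']}; client source ports are ephemeral"
           for name, aces in cfg["acls"].items() for n, a in enumerate(aces, 1)
           if a["sport"] is not None and a["proto"] in ("tcp", "udp")]
    out += [f"object-group {name}: public address {net} belongs in a separate mapped-address group"
            for name, nets in cfg["groups"].items() for net in nets if not net.is_private]
    return out

def _matches(spec, ip, groups):
    kind, val = spec
    return kind == "any" or (ip in val if kind == "net" else any(ip in n for n in groups[val]))

def permitted(cfg, iface, proto, src, dst, dport, sport=None):
    """First-match walk of the ACL bound inbound on iface; no match is the implicit deny (sport=None: ephemeral)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg["acls"].get(cfg["bindings"].get(iface), []):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_matches(ace["src"], src, cfg["groups"]) and _matches(ace["dst"], dst, cfg["groups"])):
            continue
        if ace["dport"] not in (None, dport) or ace["sport"] not in (None, sport):
            continue
        return ace["action"] == "permit"
    return False

def inbound_check(cfg, public_ip, dport, client="4.2.2.2"):
    """lrmoore's checklist: static xlate, permit on the outside ACL (PIX 7.x matches the mapped address), ACL bound."""
    real = cfg["statics"].get(ipaddress.ip_address(public_ip))
    if real is None or "outside" not in cfg["bindings"]:
        return real, False
    return real, permitted(cfg, "outside", "tcp", client, public_ip, dport)

if __name__ == "__main__":
    base, fixed = parse_config(BASE_CONFIG), parse_config(BASE_CONFIG + OUTBOUND_WWW)
    print(*lint(base), inbound_check(base, "67.103.180.198", 80), sep="\n")
    print(permitted(base, "DMZ", "tcp", "192.168.2.42", "192.168.1.101", 25),   # source-port ACE misses, deny wins
          permitted(base, "DMZ", "tcp", "192.168.2.42", "4.2.2.2", 80),          # no outbound permit yet
          permitted(fixed, "DMZ", "tcp", "192.168.2.42", "4.2.2.2", 80))         # after the www permit
```

The DMZ-to-LAN smtp trace is the instructive one: the `eq smtp ... eq smtp` ACE never matches an ephemeral client port, so the flow falls through to the explicit `deny ip DMZ LAN` line, which is exactly why the original rule "did nothing" even though it looked right. Passing `sport=25` makes the same ACE match, which confirms the diagnosis rather than the syntax. The inbound check returns the real server address together with the verdict, so a missing static shows up as `(None, False)` rather than as a bare deny.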

 

by: lrmoore, posted on 2007-04-02 at 09:12:46 (ID: 18837455)

>Is there anything wrong with having muliti honed machines in the DMZ,
Yes, it defeats the whole purpose of having a DMZ, which is to have an actual firewall between the DMZ machines and the internal network. When dual-homed, if any DMZ machine is compromised, so is your entire internal network.
My advice - don't do it.

 

by: ioglyphics, posted on 2007-04-02 at 09:20:17 (ID: 18837518)

Everything WORKS!

Thanks again lrmoore!

Good advice on the multi-homed question. All my requirements are met, so there is no need for me to implement any workaround.

 

by: lrmoore, posted on 2007-04-02 at 10:28:37 (ID: 18838023)

Glad to hear it!

- Cheers!
<8-}
